diff --git a/flake.nix b/flake.nix
index 9669676..f4e8e0b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,16 +71,21 @@
 ];
 };
- tadpole = inputs.nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = {
- inherit inputs;
+ tadpole =
+ let
+ system = "x86_64-linux";
+ in
+ inputs.nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs;
+ };
+ modules = [
+ ./hosts/tadpole/configuration.nix
+ ./hosts/tadpole/home.nix
+ inputs.whib-backend.nixosModules.${system}.default
+ ];
 };
- modules = [
- ./hosts/tadpole/configuration.nix
- ./hosts/tadpole/home.nix
- ];
- };
 test-vm =
 let
diff --git a/hosts/tadpole/modules/certs/default.nix b/hosts/tadpole/modules/certs/default.nix
index e845a61..8048f4e 100644
--- a/hosts/tadpole/modules/certs/default.nix
+++ b/hosts/tadpole/modules/certs/default.nix
@@ -17,6 +17,16 @@
 webroot = "/var/lib/acme/acme-challenge/";
 group = "nginx";
 };
+
+ "api.whib.ppp.pm" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ group = "nginx";
+ };
+
+ "grafana.whib.ppp.pm" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ group = "nginx";
+ };
 };
 };
 }
diff --git a/hosts/tadpole/modules/default.nix b/hosts/tadpole/modules/default.nix
index 9954f50..b33c937 100644
--- a/hosts/tadpole/modules/default.nix
+++ b/hosts/tadpole/modules/default.nix
@@ -22,6 +22,7 @@ in
 };
 pppdotpm-site.enable = true;
+ whib-backend.enable = true;
 };
 };
 }
diff --git a/hosts/tadpole/modules/whib/default.nix b/hosts/tadpole/modules/whib/default.nix
new file mode 100644
index 0000000..e12e428
--- /dev/null
+++ b/hosts/tadpole/modules/whib/default.nix
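Review bot: `inputs.whib-backend.nixosModules.${system}.default` pulls a NixOS module from a flake input that is neither declared nor locked anywhere in this diff, so the revision of that third-party module cannot be reviewed here; if `inputs.whib-backend` is declared earlier in flake.nix that is fine, but the corresponding `flake.lock` update should land in the same commit so the module is pinned to a known revision. Indexing `nixosModules` by `${system}` is unusual, since NixOS modules are normally exported system-independently; presumably that is how the upstream flake lays out its outputs, which is worth confirming before the `let system = …` binding is kept just for this. The enclosing attribute set starts before and ends after this hunk.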
@@ -0,0 +1,71 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+let
+ enabled = config.mod.whib-backend.enable;
+in
+{
+ options = {
+ mod.whib-backend = {
+ enable = lib.mkEnableOption "enable WHIB backend";
+ };
+ };
+
+ config = lib.mkIf enabled {
+ assertions = [
+ {
+ assertion = config.services.nginx.enable;
+ message = "Option 'config.services.nginx' must be enabled";
+ }
+ ];
+
+ services.whib-backend = {
+ enable = true;
+
+ backend = {
+ signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
+ domain = "api.whib.ppp.pm";
+ useACMEHost = "api.whib.ppp.pm";
+ };
+
+ postgres = {
+ database = "whib";
+ host = "postgres";
+ port = "5432";
+ user = "whib";
+ password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
+
+ backup = {
+ interval = "*-*-* 00:00:00 UTC";
+
+ gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
+
+ backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
+ backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
+ backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
+ };
+ };
+
+ grafana = {
+ domain = "grafana.whib.ppp.pm";
+ useACMEHost = "grafana.whib.ppp.pm";
+
+ password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
+ };
+ };
+
+ age.secrets = {
+ "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
+ "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
+ "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
+
+ "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
+ "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
+ "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
+ "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
+ };
+ };
+}
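Review bot: Every secret except `gpgPassphraseFile` is handed to the module as a `$(${pkgs.coreutils}/bin/cat …)` shell-substitution string (`signingKey`, `postgres.password`, the three `backblaze*` values, `grafana.password`), which only does what is intended if the upstream `services.whib-backend` module passes the value through a shell at runtime; if it writes the option verbatim into a config or environment file the literal `$(…)` text is used, and if it expands it onto a command line the secret becomes visible in the process list for the lifetime of the process. Because the module already accepts a path for `gpgPassphraseFile`, check whether it offers file-path variants for the remaining secrets (option names as defined by the upstream module) and prefer those, e.g. `<passwordFileOption> = config.age.secrets.whib-postgres-password.path;`, so the secret is read by the service itself rather than through a shell. The `age.secrets` entries set only `file`, so agenix's defaults apply (root-owned, mode 0400 as far as I recall); if the service runs as an unprivileged user the `cat` will fail at runtime rather than at evaluation, so either set `owner`/`group` to the service user or confirm the module reads these as root. Minor: the assertion message names `config.services.nginx` while the check is on `services.nginx.enable`; `message = "Option 'services.nginx.enable' must be set"` would point users at the right option.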